| File name: | 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader |
| Full analysis: | https://app.any.run/tasks/afe69046-8644-4d57-97a5-cc0c4c39d4a1 |
| Verdict: | Malicious activity |
| Analysis date: | April 29, 2025, 10:50:57 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | 428D1300FDB70A3F1ED05DD3528E90C7 |
| SHA1: | A242460B193172366E6336FD4BB294CE90FAF38C |
| SHA256: | FFADB4CA6AB7C8E3623210B4DBD41D0921894E97860F31480084096627D14314 |
| SSDEEP: | 98304:h4bF8ttgGY/srGGGGGGSnNfYU7zhiKC5U8kk/kdHPflEtLMH46qmHBHiBb+n5/Gx:Fw34 |
MALICIOUS
Changes the autorun value in the registry
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
- mscaps.exe (PID: 6300)
- launch.exe (PID: 5064)
Loads dropped or rewritten executable
- FileCoAuth.exe (PID: 208)
- WdExt.exe (PID: 4620)
SUSPICIOUS
Executable content was dropped or overwritten
- explorer.exe (PID: 1764)
- @AEC99B.tmp.exe (PID: 5428)
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
- WdExt.exe (PID: 4620)
- wtmps.exe (PID: 2504)
- mscaps.exe (PID: 6300)
Creates file in the systems drive root
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
Process drops legitimate windows executable
- @AEC99B.tmp.exe (PID: 5428)
- WdExt.exe (PID: 4620)
Reads security settings of Internet Explorer
- @AEC99B.tmp.exe (PID: 5428)
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
- WdExt.exe (PID: 4620)
- launch.exe (PID: 5064)
Executing commands from a ".bat" file
- @AEC99B.tmp.exe (PID: 5428)
- WdExt.exe (PID: 4620)
- launch.exe (PID: 5064)
The executable file from the user directory is run by the CMD process
- WdExt.exe (PID: 4620)
- wtmps.exe (PID: 2504)
- launch.exe (PID: 5064)
Starts CMD.EXE for commands execution
- WdExt.exe (PID: 4620)
- @AEC99B.tmp.exe (PID: 5428)
- launch.exe (PID: 5064)
There is functionality for taking screenshot (YARA)
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
INFO
The sample compiled with english language support
- explorer.exe (PID: 1764)
- @AEC99B.tmp.exe (PID: 5428)
- WdExt.exe (PID: 4620)
Create files in a temporary directory
- explorer.exe (PID: 1764)
- WdExt.exe (PID: 4620)
- mscaps.exe (PID: 6300)
- @AEC99B.tmp.exe (PID: 5428)
Checks supported languages
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 1676)
- @AEC99B.tmp.exe (PID: 5428)
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
- WdExt.exe (PID: 4620)
- launch.exe (PID: 5064)
- wtmps.exe (PID: 2504)
- mscaps.exe (PID: 6300)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1764)
Creates files or folders in the user directory
- @AEC99B.tmp.exe (PID: 5428)
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
- WdExt.exe (PID: 4620)
- launch.exe (PID: 5064)
- wtmps.exe (PID: 2504)
- mscaps.exe (PID: 6300)
Reads the computer name
- @AEC99B.tmp.exe (PID: 5428)
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
- WdExt.exe (PID: 4620)
- launch.exe (PID: 5064)
Process checks computer location settings
- WdExt.exe (PID: 4620)
- @AEC99B.tmp.exe (PID: 5428)
- launch.exe (PID: 5064)
Aspack has been detected
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
UPX packer has been detected
- 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7012)
Checks proxy server information
- @AEC99B.tmp.exe (PID: 5428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (30.9) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (27.3) |
| .exe | | | UPX compressed Win32 Executable (26.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (6.5) |
| .exe | | | Win32 Executable (generic) (4.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:03:05 08:37:55+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 2560 |
| InitializedDataSize: | 29696 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x167f |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
145
Monitored processes
20
Malicious processes
6
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 208 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 1132 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1184 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1188 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin1.bat" " | C:\Windows\SysWOW64\cmd.exe | — | WdExt.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1512 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin1.bat" " | C:\Windows\SysWOW64\cmd.exe | — | @AEC99B.tmp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1676 | "C:\Users\admin\Desktop\2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe" | C:\Users\admin\Desktop\2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 1764 | explorer.exe | C:\Windows\SysWOW64\explorer.exe | 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1764 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin0.bat" " | C:\Windows\SysWOW64\cmd.exe | — | @AEC99B.tmp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2108 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2504 | "C:\Users\admin\AppData\Local\Temp\wtmps.exe" | C:\Users\admin\AppData\Local\Temp\wtmps.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
3 974
Read events
3 962
Write events
12
Delete events
0
Modification events
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Local\Start | |||
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Local\Start | |||
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 04000000030000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF | |||
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4 |
| Operation: | write | Name: | MRUListEx |
Value: 010000000000000004000000050000000200000003000000FFFFFFFF | |||
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CAAC000000 | |||
| (PID) Process: | (7012) 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D1A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CAAC000000 | |||
| (PID) Process: | (5064) launch.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Defender Extension |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe" | |||
| (PID) Process: | (6300) mscaps.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | JREUpdate |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll | |||
Executable files
17
Suspicious files
13
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5428 | @AEC99B.tmp.exe | C:\Users\admin\AppData\Local\Temp\tmpD44C.tmp | binary | |
MD5:49C8F0DDD16D3DDF74D55709FF4E0D14 | SHA256:807D79214258A40731408CB343820A421E60DC105A4DAF766F3C4E85289219C3 | |||
| 7012 | 2025-04-11_428d1300fdb70a3f1ed05dd3528e90c7_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Start\update.exe | executable | |
MD5:8A6BDD6A84FE3487BD2D0F45261A6E9C | SHA256:5FEBDE0FF16F83E755CDBD4C7433CE7995AD9C2DE7B6199337E4921874DC9D2F | |||
| 1764 | explorer.exe | C:\Users\admin\AppData\Local\Temp\@AEC99B.tmp.exe | executable | |
MD5:7A2BE69C2A8ACEC7218D925B22693D84 | SHA256:5F50BAADAEF9420AF9D106CC59FF7F52DD82F587BB8F3B9CC2D700C790433217 | |||
| 4620 | WdExt.exe | C:\Users\admin\AppData\Roaming\Temp\mydll.dll | executable | |
MD5:FC4A6145DDD1B64983E8700601C71FC6 | SHA256:5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6 | |||
| 5428 | @AEC99B.tmp.exe | C:\Users\admin\AppData\Local\Temp\tmpD2B3.tmp | executable | |
MD5:E835E34E4C520203476B2CCD8DA9F362 | SHA256:75A3017F3FA6065824B9E59DCD0B9D99C86E29739BC2DDA3ACC5524EA7192530 | |||
| 5428 | @AEC99B.tmp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | executable | |
MD5:7A2BE69C2A8ACEC7218D925B22693D84 | SHA256:5F50BAADAEF9420AF9D106CC59FF7F52DD82F587BB8F3B9CC2D700C790433217 | |||
| 5428 | @AEC99B.tmp.exe | C:\Users\admin\AppData\Roaming\Temp\mydll.dll | executable | |
MD5:FC4A6145DDD1B64983E8700601C71FC6 | SHA256:5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6 | |||
| 5428 | @AEC99B.tmp.exe | C:\Users\admin\AppData\Roaming\Temp\admin0.bat | text | |
MD5:F2D4F8A8491F3A5151B05D92F283EBEF | SHA256:CCC42E2A79C7DFE395EB6BD21CAD4D44D526C5A361953175573DB7B59BE57EBC | |||
| 4620 | WdExt.exe | C:\Users\admin\AppData\Local\Temp\tmpD68C.tmp | executable | |
MD5:2D9DF706D1857434FCAA014DF70D1C66 | SHA256:126593B3672E6985FE4E4903D656040E16A69264FAF91B1A416EF00565E17E7C | |||
| 4620 | WdExt.exe | C:\Users\admin\AppData\Roaming\Microsoft\Identities\admin\arc.dll | binary | |
MD5:8501E1FAEFA7B184FD627F822F53697C | SHA256:70E0437A0E6E9E00F1100EA438F95BA871EC51C55FBF2355B693F368596F605F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
18
DNS requests
14
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6712 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6712 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6544 | svchost.exe | 20.190.159.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6712 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
windowsupdate.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |